VMX-M Inbound Security Group

SOLVED
Fabian1
Getting noticed

Hi everyone,

On the Meraki dashboard I can only see the outbound firewall rules that we have to open for the communication between the Meraki cloud and the AWS appliance.

Are there any inbound ports that need to be open to the internet? At the moment there is an any rule from the internet to the appliance, but we would like to optimize the security group so that we only allow the needed ports. Is there a list somewhere?

Thanks and best

Fabian

1 ACCEPTED SOLUTION

Accepted Solutions
PhilipDAth
Kind of a big deal

Re: VMX-M Inbound Security Group

Don't forget, the VMX is a firewall. You don't normally need to restrict traffic to it.

If you do wish to restrict traffic to it then configure manual NAT traversal. Whatever port you choose, allow that in. I would also allow ICMP for diagnostics.

https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_Auto_VPN_Tunneling_... 

Also, be careful limiting outbound access from the Azure side. The VMX will need to be able to talk to any IP of a remote MX that it has an AutoVPN association with. If you limit this, then AutoVPN can only bring up connections if the remote end does so.

This reduces the reliability of the system. If the AutoVPN goes down to a peer, and that peer does not detect it, then the VPN will remain down and won't self-heal. If you allow the VMX to talk outwards to everything, then if either end detects a failure either end can repair the connection. Much more reliable.

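Added example, not part of the thread and not Meraki or AWS code: a small audit of a vMX security group against the guidance in the accepted answer (inbound limited to the manual NAT traversal port plus ICMP, outbound left unrestricted). The rules use the IpPermissions shape that `aws ec2 describe-security-groups` and boto3 return, so the function can be pointed at real output. The port number is a placeholder, not a value from the thread; use whatever port you configured for manual NAT traversal. The sample rule sets are constructed.

```python
"""Audit an AWS security group for a Meraki vMX against the accepted answer:
inbound = chosen manual NAT traversal port (UDP) + ICMP, outbound = everything.

Rules use the IpPermissions dict shape returned by
`aws ec2 describe-security-groups` / boto3 describe_security_groups().
"""

# Assumption: the UDP port you selected for manual NAT traversal in Dashboard.
# This number is a placeholder, not taken from the thread.
MANUAL_NAT_PORT = 9350

ANY_CIDR = "0.0.0.0/0"


def _cidrs(rule):
    """All IPv4/IPv6 CIDRs a rule applies to."""
    return [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]


def _covers(rule, proto, port):
    """True if the rule admits proto/port. IpProtocol '-1' means all traffic."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != proto:
        return False
    if proto == "icmp":
        return True  # FromPort/ToPort hold ICMP type/code here; -1 means all
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_vmx_sg(ingress, egress, nat_port=MANUAL_NAT_PORT):
    """Return a list of findings; an empty list means the SG matches the advice."""
    findings = []

    for rule in ingress:
        proto = rule["IpProtocol"]
        if proto == "-1" and ANY_CIDR in _cidrs(rule):
            # the 'any' rule from the question: everything from the internet
            findings.append("ingress: all traffic from 0.0.0.0/0 (the 'any' rule)")
        elif proto in ("tcp", "udp") and not (
            proto == "udp" and rule.get("FromPort") == nat_port == rule.get("ToPort")
        ):
            findings.append(
                f"ingress: unexpected {proto} "
                f"{rule.get('FromPort')}-{rule.get('ToPort')} rule"
            )

    # the manual NAT traversal port must be reachable from the peers
    if not any(_covers(r, "udp", nat_port) for r in ingress):
        findings.append(f"ingress: manual NAT traversal port udp/{nat_port} is not allowed in")
    # ICMP is recommended in the answer for diagnostics
    if not any(_covers(r, "icmp", 0) for r in ingress):
        findings.append("ingress: ICMP not allowed (useful for diagnostics)")
    # outbound must stay open so either end can repair a broken AutoVPN tunnel
    if not any(r["IpProtocol"] == "-1" and ANY_CIDR in _cidrs(r) for r in egress):
        findings.append("egress: outbound restricted; AutoVPN can only be repaired from the remote end")

    return findings


# Constructed sample: the current 'any' rule described in the question
CURRENT_INGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_CIDR}]}]

# Constructed sample: the tightened rule set from the accepted answer
PROPOSED_INGRESS = [
    {"IpProtocol": "udp", "FromPort": MANUAL_NAT_PORT, "ToPort": MANUAL_NAT_PORT,
     "IpRanges": [{"CidrIp": ANY_CIDR}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": ANY_CIDR}]},
]

# Constructed sample: AWS's default egress rule (all traffic to anywhere)
DEFAULT_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_CIDR}]}]

# Constructed sample: egress pinned to one peer, which the answer warns against
RESTRICTED_EGRESS = [{"IpProtocol": "udp", "FromPort": MANUAL_NAT_PORT,
                      "ToPort": MANUAL_NAT_PORT,
                      "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]

if __name__ == "__main__":
    for name, ing, eg in [("current", CURRENT_INGRESS, DEFAULT_EGRESS),
                          ("proposed", PROPOSED_INGRESS, DEFAULT_EGRESS),
                          ("proposed+restricted egress", PROPOSED_INGRESS, RESTRICTED_EGRESS)]:
        print(name, "->", audit_vmx_sg(ing, eg) or ["ok"])
```

To run it against a real group, load the `IpPermissions` and `IpPermissionsEgress` lists from the describe-security-groups JSON and pass them in; a rule that is all traffic from a narrow CIDR is deliberately not flagged, since the answer only objects to the open any rule.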

